
Research On Key Technologies Of SDN Northbound REST API Security Defense

Posted on: 2018-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: K L Ren
Full Text: PDF
GTID: 2348330563451342
Subject: Computer Science and Technology
Abstract/Summary:
Due to the lack of encryption, authentication, authorization management and other security mechanisms, the northbound REST API of Software Defined Network (SDN) faces serious security threats. Moreover, related research has three major problems: first, existing research lacks security threat analysis and controller software tests for REST-type APIs; second, existing research on attack methods against the northbound API pays little attention to REST-type APIs; third, the existing authorization management method for the northbound REST API is coarse and its defense ability is weak.

To solve these problems, this paper aims to realize the key technologies of SDN northbound REST API security defense. First, it carries out two pieces of basic research, a security threat analysis based on the STRIDE model and a study of attack methods against the Floodlight controller, which identify the defense target and provide research ideas for the security defense method. Aiming at the unresolved security threats found in these two pieces of work, a security defense method based on fine-grained authorization management is proposed. Finally, a prototype system is designed and implemented. The main work is summarized as follows:

1. A security threat analysis method for the northbound REST API based on the STRIDE model is proposed. First, the STRIDE threat model of the REST API is built, and six kinds of possible security threats and attack methods are analyzed. Then, tests are carried out on five mainstream controllers to verify the actual security problems, and the authorization management mechanism is found to be an unresolved security threat for all controllers. This work identifies the defense target for the subsequent defense methods.

2. Attack methods against the Floodlight controller based on the northbound REST API are proposed. Because of the authorization management problem of the Floodlight REST API, information disclosure attacks, tampering attacks, denial of service attacks, and traffic hijacking attacks based on the REST API are designed. Then, the attack principles are analyzed in detail and the attack methods are verified, which shows the serious security problems caused by the attacks. This work provides a way of exploring the defense method from the perspective of attackers.

3. A security defense method for the northbound REST API based on fine-grained authorization management is proposed. First, the method is summarized, and then nine basic concepts, including permission request, permission check strategy and permission check, and three algorithms, including the access authorization algorithm, permission check algorithm and strategy management algorithm, are described in detail through formal modeling. The method is composed of authorization management, access management and policy management, and achieves security defense at the API level. The method is able to check permission requests, manage authorization and access requests, and supports policy configuration by administrators, which effectively prevents unauthorized calls to the northbound REST API.

4. SDNGuardian, a northbound REST API security defense system based on fine-grained authorization management, is designed and implemented, and functional tests and performance tests are performed on it. The results of the functional tests show: 1) the system can provide normal authorization management services to the specified legal users without affecting the original functions of the Floodlight controller; 2) the system can effectively defend against the attacks implemented in the third chapter using the REST interface; 3) the system can effectively defend against attacks using the REST API in the same permission group; 4) the defense capability of the system is superior to that of the existing northbound REST API authorization management system. Performance test results show that the delay caused by the system for each interface call is at the microsecond level and does not affect normal use.
Keywords/Search Tags:SDN, Northbound REST API, STRIDE Model, Attacking Method, Authorization Management